How easily can frausters hack contactless payments?

By Marianne Curphey

Just how easy is it for criminals to steal data from your mobile or contactless card while you are out shopping? According to some experts, very easy. But there are steps you can take to protect yourself when you use contactless payments, which are becoming more popular.

Security experts warn of easy hacks
Some experts warn that Mobile Point of Sale (MPOS) devices -- which thousands of shops and retailers in the UK use to process mobile or contactless card payments -- can be easily hacked.contactless-security

Information security firm MWR InfoSecurity says these devices are vulnerable to attacks from a number of different sources, leaving banks, retailers and millions of customers exposed to serious fraud.

Jonathan Butler, head of research at MWR InfoSecurity, says there are a number of measures that consumers can take to protect themselves, but it is up to the retailer to ensure the payment terminals are secure from attack.

"Consumers on the high street do not have a viable way to ensure the payment terminal they are using has been securely designed and implemented," he says. "[The vendor] should be conducting thorough security assessments of their products, [and retailers] should be ensuring that they implement these devices in a secure fashion."

Payments industry downplays threat
David Wilson, Head of Software Development at Sage Pay Ireland, says that the only reason you would need to worry is if your phone has malware on it. Only then would entering card details on your phone or using your phone as a contactless payment device be dangerous, according to Wilson.

"Some people believe that contactless card payments are highly insecure, and understandably so," Wilson says.

He explains that it is possible to use a card reader to attain card details from a contactless payment by "eavesdropping" on the transaction -- reading your card while you make a transaction. However, he says many people don't realise that a card reader must be about 4 centimetres from the card to read the details.

In fact, Wilson says, the main threat is still old-fashioned "shoulder surfing", where an attacker watches you enter your PIN at the point of sale or ATM, then either physically steals your card or takes your information from a theft device installed on the POS or ATM -- making contactless cards a safer method than magnetic strip cards.

Providers take action to prevent fraud
Card providers are now able to analyse card use to try to spot the early warning signs of criminal activity. For example, some are using a programme developed by the US credit scoring company FICO that uses real-time fraud calculations to protect against payment fraud. The software helps stop organised criminal rings by exposing links between one suspicious person or activity and others that have gone undetected.

"Stopping payment fraud is a balancing act that requires payment card providers to protect their cardholders without inconveniencing them," said Dr. Andrew Jennings, chief analytics officer at FICO.

Michael De Jongh -- vice president of sales and marketing at Judo Payments, a mobile payments technology provider -- says card issuers and merchants are looking at sharing information about the location of devices and cards as a precaution against fraud.

In other words, issuers and merchants could look at where your credit card is being used and where your mobile phone is to head off fraudulent activity. If your phone is in the UK, and your card is being used in the US, it would send up a red flag.

Tips for preventing contactless fraud
Never open untrusted files or view untrusted websites. If you are going to enter sensitive information, make sure you are using an encrypted HTTPS connection (which should display a padlock icon or green URL bar).

2. Choose secure passwords and PINs, and update them regularly.

3. Check details of transactions on your mobile banking platforms, and look carefully at your credit card and bank statements.

4. Notify your bank or card issuer immediately if you notice suspicious activity on your account.


See related: How payments will evolve in the next decade, Card clash: What is it, and how to avoid it

Published: 1 July 2014